As an alternative to the ModSecurity Web Application Firewall (WAF), we recommend considering Nemesida WAF. It offers two versions: a commercial one with machine learning support and a free version, Nemesida WAF Free, which uses signature analysis to detect attacks. While the commercial version's capabilities are beyond the scope of this article, you can learn more about its features and pricing on the official website (https://waf.pentestit.ru/). In this article, we'll focus on the free version of Nemesida WAF.
The main differences between Nemesida WAF Free and ModSecurity are:
- Its own signature database, with a declared minimum of false positives.
- Installation and updates come from repositories, so they are quick and do not require compiling from source code.
- The ability to integrate with an antivirus engine (ClamAV).
- An optional "My Account" component for visual monitoring of the system, operating statistics and report generation.
Here is a step-by-step guide for installing Nemesida WAF Free with the "My Account" component on CentOS 7.
First, make sure the server can reach the following resources:
https://nemesida-security.com
https://ip.pentestit.ru
Make sure that SELinux is not active:
# setenforce 0
Check the contents of the /etc/selinux/config file; it should look like this:
# This file controls the state of SELinux on the system.
# SELINUX=can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
It is necessary to activate the repositories:
# yum install epel-release
# rpm -Uvh https://repository.pentestit.ru/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm
# rpm -Uvh https://nginx.org/packages/rhel/7/noarch/RPMS/nginx-release-rhel-7-0.el7.ngx.noarch.rpm
# rpm -Uvh https://yum.postgresql.org/11/redhat/rhel-7-x86_64/pgdg-centos11-11-2.noarch.rpm
# yum update
Install the necessary Nemesida WAF components:
# yum install python36 python36-pip python36-devel systemd openssl librabbitmq libcurl-devel gcc dmidecode rabbitmq-server postgresql-libs postgresql11-devel memcached libmemcached-devel nginx
Install Python modules:
# pip3.6 install --no-cache-dir pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode
This completes the preparatory work. You can proceed directly to the installation of Nemesida WAF Free.
To install the dynamic module, first check the installed nginx version:
# nginx -v
Then install the dynamic module matching that version:
# yum install nwaf-dyn-<installed_nginx_version>
For example, for nginx version 1.16 the command looks like this:
# yum install nwaf-dyn-1.16
After successful installation, edit the file /etc/nginx/nginx.conf, bringing it to the following form:
load_module /etc/nginx/modules/ngx_http_waf_module.so;
...
worker_processes auto;
...
http {
...
##
# Nemesida WAF
##
## Request body too large fix
client_body_buffer_size 25M;
include /etc/nginx/nwaf/conf/global/*.conf;
include /etc/nginx/nwaf/conf/vhosts/*.conf;
...
}
Please note that only the required parameters are shown above; the rest of the file depends on the protected resource.
After changing the configuration file, we recommend restarting the services and checking their status:
# systemctl restart nginx.service nwaf_update.service
# systemctl status nginx.service nwaf_update.service
To test the module, send a request to the following address: http://<Your_server_address>/nwaftest. For example, if your server's address is 192.168.2.2, you can use the following command:
# curl -I http://192.168.2.2/nwaftest
The server should respond with HTTP status code 403.
At this point Nemesida WAF Free is fully operational. If you want to use the "My Account" component for convenient monitoring and reporting, you first need to install and configure the Nemesida WAF API component.
To begin, you need to install and set up the PostgreSQL server:
# yum install postgresql11-server
# /usr/pgsql-11/bin/postgresql-11-setup initdb
The default pg_hba.conf aligns its columns with runs of spaces, so the replacement pattern must tolerate any amount of whitespace between fields:
# sed -i -E 's|^(host[[:space:]]+all[[:space:]]+all[[:space:]]+127\.0\.0\.1/32[[:space:]]+)ident|\1md5|' /var/lib/pgsql/11/data/pg_hba.conf
# sed -i -E 's|^(host[[:space:]]+all[[:space:]]+all[[:space:]]+::1/128[[:space:]]+)ident|\1md5|' /var/lib/pgsql/11/data/pg_hba.conf
# systemctl start postgresql-11.service
# systemctl enable postgresql-11.service
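As an added example (not part of the Nemesida WAF documentation), the following POSIX shell functions check the configuration steps completed so far: the SELinux setting, the required lines in nginx.conf, the authentication method for the local entries in pg_hba.conf (tolerating the runs of spaces and tabs the default file uses), and a live probe of /nwaftest that expects HTTP 403. File paths default to the ones used in this guide and can be overridden to run the checks against sample files; the probe address is an assumption.

```shell
#!/bin/sh
# Added example, not Nemesida WAF project code: post-install checks for the
# steps above. Paths default to the ones in the guide; pass another path to
# run against a sample file. Each function returns 0 on success, 1 on failure.

# /etc/selinux/config must set SELINUX=disabled (permissive also avoids enforcement).
check_selinux_config() {
    grep -Eq '^SELINUX=(disabled|permissive)[[:space:]]*$' "${1:-/etc/selinux/config}"
}

# nginx.conf must load the WAF module and include both nwaf configuration directories.
check_nginx_conf() {
    f="${1:-/etc/nginx/nginx.conf}"
    grep -Eq '^[[:space:]]*load_module[[:space:]]+/etc/nginx/modules/ngx_http_waf_module\.so;' "$f" &&
    grep -Eq '^[[:space:]]*include[[:space:]]+/etc/nginx/nwaf/conf/global/\*\.conf;' "$f" &&
    grep -Eq '^[[:space:]]*include[[:space:]]+/etc/nginx/nwaf/conf/vhosts/\*\.conf;' "$f"
}

# pg_hba.conf: the local IPv4 and IPv6 "host" lines must use md5, and no ident
# entry may remain for them. The default file aligns columns with runs of
# spaces or tabs, so the patterns are whitespace-tolerant.
check_pg_hba() {
    f="${1:-/var/lib/pgsql/11/data/pg_hba.conf}"
    ws='[[:space:]]+'
    ! grep -Eq "^host${ws}all${ws}all${ws}(127\.0\.0\.1/32|::1/128)${ws}ident" "$f" &&
    grep -Eq "^host${ws}all${ws}all${ws}127\.0\.0\.1/32${ws}md5" "$f" &&
    grep -Eq "^host${ws}all${ws}all${ws}::1/128${ws}md5" "$f"
}

# Live probe: the dynamic module must answer /nwaftest with HTTP 403.
# Needs a running nginx; the address is an assumption (defaults to loopback).
check_nwaftest() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://${1:-127.0.0.1}/nwaftest")
    [ "$code" = "403" ]
}

# Run all checks against the real paths; stops at the first failing check.
run_all_checks() {
    check_selinux_config && check_nginx_conf && check_pg_hba && check_nwaftest "$1"
}
```

Source the file and call run_all_checks, optionally with the server address, on the WAF host; a non-zero exit tells you which step still needs attention.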
Next, create a database and a user to connect the Nemesida WAF API component:
# su - postgres -c "psql -c \"CREATE DATABASE waf;\""
# su - postgres -c "psql -c \"CREATE ROLE nw_api PASSWORD 'nw_api_user_password';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE waf to nw_api;\""
# su - postgres -c "psql -c \"ALTER ROLE nw_api WITH LOGIN;\""
The same for the "My Account" component:
# su - postgres -c "psql -c \"CREATE DATABASE cabinet;\""
# su - postgres -c "psql -c \"CREATE ROLE nw_cabinet PASSWORD 'nw_cabinet_user_password';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE cabinet to nw_cabinet;\""
# su - postgres -c "psql -c \"ALTER ROLE nw_cabinet WITH LOGIN;\""
Then install Nemesida WAF API:
# yum install nwaf-api
# mv /etc/nginx/conf.d/api.conf.disabled /etc/nginx/conf.d/api.conf
# systemctl restart nginx.service
# systemctl status nginx.service
Create database structure:
# cat /var/www/nw-api/api.sql | su postgres -c "psql waf"
Next, edit the file /var/www/nw-api/settings.py and set the following parameters:
DB_HOST - the address of the server where the DBMS is deployed (in our case, localhost);
DB_PASS - the password of the nw_api user created above, used to connect to the DBMS;
PROXY - the proxy server address (if used) for connecting to nemesida-security.com.
To let the dynamic module talk to the API, add the following line to the /etc/nginx/nwaf/conf/global/nwaf.conf file:
nwaf_api_conf host=http://<your_server_address>:8080
If both components are located on the same server, then the line will look like this:
nwaf_api_conf host=http://localhost:8080
Please note that for security reasons it is recommended to restrict access to this address to the Nemesida WAF dynamic module and the "My Account" component only.
In order to complete the installation, please restart the server. After a successful reboot, you can begin installing the "My Account" component.
# yum install nwaf-cabinet
# mv /etc/nginx/conf.d/cabinet.conf.disabled /etc/nginx/conf.d/cabinet.conf
# systemctl restart nginx.service
Next, edit the file /var/www/app/cabinet/settings.py and define the following parameters:
ALLOWED_HOSTS - Django security setting. Specify the FQDN ("example.com") or IP address of the server on which the module is available.
HTTP_PROXY_CONF - proxy server address (if used).
DB_NAME_CABINET, DB_USER_CABINET, DB_PASS_CABINET, DB_HOST_CABINET - parameters for connecting to the database of the "My Account" component (created above).
DB_NAME_CONF, DB_USER_CONF, DB_PASS_CONF, DB_HOST_CONF - parameters for connecting to the database of the Nemesida WAF API component (created above).
EMAIL_HOST - address of the SMTP server. EMAIL_PORT - port of the SMTP server. EMAIL_HOST_USER - user name on the mail server from which messages will be sent. EMAIL_HOST_PASSWORD - password of that mail server user. EMAIL_USE_TLS - enable TLS when authenticating to the SMTP server (True or False). SMTP_TO_CONF - the email address to which messages will be sent.
After defining the parameters, please run the following command to complete the migration and set the administrator password. You will be prompted to enter an email address:
# cd /var/www/app/ && . venv/bin/activate && python3 manage.py migrate && python3 manage.py createsuperuser && deactivate
Please note that while this command runs you may encounter errors about missing Python modules. If so, install the missing module with the following command:
# pip3.6 install <module_name>
Then run the migration command above again.
We recommend restarting the server after a successful migration.
The "My Account" component can then be accessed at:
http://<server_address>/waf/personal/